Malicious advertisements on major websites lead to ransomware

Jeremy Kirk | June 6, 2014
Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and others are leading people to malware that encrypts a computer's files until a ransom is paid, Cisco Systems has found.

In the next stage of the attack, a ransomware program called "Cryptowall," a relative of the infamous Cryptolocker malware, is installed. It encrypts the user's files, demanding a ransom. In another sign of the operation's sophistication, the website where users can pay the ransom is a hidden website that uses The Onion Router, or the TOR network.

To navigate to a TOR hidden website, a user must have TOR installed, for which Cryptowall helpfully provides installation instructions. Those who delay paying the ransom find that it increases as time passes.

Because of the use of TOR and the technically complex attack chain, Cisco hasn't yet been able to identify a group behind the attacks.

Gundert said it is likely that several groups or people with different skills — such as malvertising, traffic redirection, exploit writing and ransomware campaigns — are working together.

"You could have a threat actor putting together all of these pieces on their own, but there are so many different specialties involved in this attack chain," he said.
